The need for Counter-CNE...

- Foreign and friendly actors often encountered
  - CNE operators do not pursue them beyond their targets
  - Reporting groups need to be made aware
- OPSEC evaluation is needed
- Active pursuit of CNE actors: a different ballgame
Outline

- Introduction: CCNE at CSEC
- CCNE tools and methods
- SNOWGLOBE
- De-confliction
[Slide title illegible]

- Part of CSEC CNE operations (KO)
- Recently formed matrix team
- Analysts and operators from CNE Operations, IO Reporting Lines and Global Network Detection
- Mandate:
  - Provide situational awareness to CNE operators
  - Discover unknown actors on existing CNE targets
  - Detect known actors on covert infrastructure
  - Pursue known actors through CNE
  - Review OPSEC of CNE operations
CNE Toolkit: WARRIORPRIDE

- WARRIORPRIDE (WP):
  - Scalable, Flexible, Portable CNE platform
  - Unified framework within CSEC and across the 5 eyes
  - Do more with less effort
  - Common framework for sharing code/plugins across the 5 eyes
- WARRIORPRIDE is an implementation of the "WZOWSKI" 5-eyes API
  - WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ
- WARRIORPRIDE
  - XML command output to operators
  - Several plugins used for machine recon / OPSEC assessment
WARRIORPRIDE

(Screenshot of WARRIORPRIDE command output; only fragments are legible in the scan.)
Transaction Id: 133546
Core storage files for implant [implant id illegible]
Plugin Store: c:\Temp\~DFBBE9.tmp
Config Store: c:\Temp\configFileSYS.5375
Note that this command does not list plugi [text cut off]
WARRIORPRIDE plug-ins and output

- Several WP plugins are useful for CCNE:
  - Slipstream: machine reconnaissance
  - ImplantDetector: implant detection
  - RootkitDetector: rootkit detection
  - Chordflier/U_ftp: file identification / retrieval
  - NameDropper: DNS
  - WormWood: network sniffing and characterization
- Already used for CNE OPSEC
- Used for precise identification and heuristics
WP xml output (raw)

<?xml version="1.0" encoding="UTF-8"?>
<response xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:noNamespaceSchemaLocation="U_FileCollectoer/U_FileCollectoer_2.15.xsd">
  <implantId>51.1.2.160</implantId>
  <transaction>
    <transactionSource>50.0.0.101</transactionSource>
    <transactionId>320453</transactionId>
  </transaction>
  <timestamp>
    <TLT>2010-02-23T15:53:06.366</TLT>
    <UTC>2010-02-23T15:47:43.448</UTC>
  </timestamp>
  <errors>
    <errorPlugin>0</errorPlugin>
    <errorOs>0</errorOs>
  </errors>
  <commandInfo>fcstart</commandInfo>
  <responseDetails>
    <fcstart>
      <status>Success</status>
      <standbyMode>FALSE</standbyMode>
    </fcstart>
  </responseDetails>
</response>
WP SLIPSTREAM output (parsed)

[2010/05/18 - 16:28:05 (UTC)] Transaction Id: 582966
U_SLIPSTREAM - <ssservices>
ImplantId: <51.8.1.13>
Timestamp (UTC): 2010/02/09 06:42:42

PAGE : 1 of 1
PID  | Service Name | Status  | Startup Type | Service Process Type | Display Name | Binary Path
924  | AeLookupSvc  | RUNNING | AUTOMATIC    | SHARED      | Application Experience Lookup Service | C:\WINDOWS\system32\svchost.exe -k netsvcs
0    | Alerter      | STOPPED | DISABLED     | SHARED      | Alerter | C:\WINDOWS\system32\svchost.exe -k LocalService
3184 | ALG          | RUNNING | MANUAL       | OWN PROCESS | Application Layer Gateway Service | C:\WINDOWS\System32\alg.exe
0    | AppMgmt      | STOPPED | MANUAL       | SHARED      | Application Management | C:\WINDOWS\system32\svchost.exe -k netsvcs
924  | AudioSrv     | RUNNING | AUTOMATIC    | SHARED      | Windows Audio | C:\WINDOWS\System32\svchost.exe -k netsvcs
0    | BITS         | STOPPED | MANUAL       | SHARED      | Background Intelligent Transfer Service | C:\WINDOWS\system32\svchost.exe -k netsvcs
0    | Browser      | STOPPED | AUTOMATIC    | SHARED      | Computer Browser | C:\WINDOWS\system32\svchost.exe -k netsvcs
1028 | ccEvtMgr     | RUNNING | AUTOMATIC    | SHARED      | Symantec Event Manager | "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
1028 | ccSetMgr     | RUNNING | AUTOMATIC    | SHARED      | Symantec Settings Manager | "C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon
1708 | Cissesrv     | RUNNING | AUTOMATIC    | OWN PROCESS | HP Smart Array SAS/SATA Event Notification Service | "C:\Program Files\HP\Cissesrv\cissesrv.exe"
0    | CiSvc        | STOPPED | DISABLED     | SHARED      | Indexing Service | C:\WINDOWS\system32\cisvc.exe
0    | ClipSrv      | STOPPED | DISABLED     | OWN PROCESS | ClipBook | [cut off]
WP SLIPSTREAM output... drivers (parsed)

[Transaction header line illegible in the scan]
ImplantId: <51.8.1.13>
Timestamp (UTC): 2010/02/09 06:42:43

PAGE : 1 of 1
SCM | Driver Name  | Status  | Startup Type | Driver Type | Display Name | Binary Path
    | ntoskrnl.exe | RUNNING |              |             |              | C:\WINDOWS\system32\ntoskrnl.exe
    | hal.dll      | RUNNING |              |             |              | C:\WINDOWS\system32\hal.dll
    | KDCOM.DLL    | RUNNING |              |             |              | C:\WINDOWS\system32\KDCOM.DLL
    | BOOTVID.dll  | RUNNING |              |             |              | C:\WINDOWS\system32\BOOTVID.dll
    | ACPI.sys     | RUNNING |              |             |              | ACPI.sys
    | WMILIB.SYS   | RUNNING |              |             |              | C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
    | pci.sys      | RUNNING |              |             |              | pci.sys
    | isapnp.sys   | RUNNING |              |             |              | isapnp.sys
    | pciide.sys   | RUNNING |              |             |              | pciide.sys
    | PCIIDEX.SYS  | RUNNING |              |             |              | C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    | MountMgr.sys | RUNNING |              |             |              | MountMgr.sys
    | ftdisk.sys   | RUNNING |              |             |              | ftdisk.sys
    | dmload.sys   | RUNNING |              |             |              | dmload.sys
    | dmio.sys     | RUNNING |              |             |              | dmio.sys
    | Volsnap.sys  | RUNNING |              |             |              | volsnap.sys
REPLICANTFARM

- Extend WP output to a signature based system: REPLICANTFARM
- Module based parser/alert system running on real-time CNE operational data
- Custom/module based analysis:
  - Actors
  - Implant technology
  - Host based signatures
  - Network based signatures
REPLICANTFARM generic modules

- Cloaked
- Kernel cloaking
- Recycler
- Schedule at
- Rar password
- NtUninstall execution
- Tmp executable
- Hidden
- Packed
- PEB modification
- Privileges
- MS pretender
- System32 "variables"
- Strange DLL extensions
- Other ideas....
Generic modules : example

# Generic module: flag running processes whose name is a legitimate Windows
# binary with 1-3 characters appended (e.g. svchost32.exe). In single-quoted
# Perl strings '\\.' reaches the regex engine as '\.' (a literal dot).
my @runningProcs = xml_isProcessRunning( $xml, 'svchost.{1,3}\\.exe',
    'winlogon.{1,3}\\.exe',
    'services.{1,3}\\.exe',
    'lsass.{1,3}\\.exe',
    'spoolsv.{1,3}\\.exe',
    'autochk.{1,3}\\.exe',
    'logon.{1,3}\\.scr',
    'rundll32.{1,3}\\.exe',
    'chkdsk.{1,3}\\.exe',
    'chkntfs.{1,3}\\.exe',
    'logonui.{1,3}\\.exe',
    'ntoskrnl.{1,3}\\.exe',
    'ntvdm.{1,3}\\.exe',
    'rdpclip.{1,3}\\.exe',
    'taskmgr.{1,3}\\.exe',
    'userinit.{1,3}\\.exe',
    'wscntfy.{1,3}\\.exe',
    'tcpmon.{1,3}\\.dll' );

# Every match is appended to the alert text the module reports.
foreach my $runningProc (@runningProcs)
{
    $alertText .= "Suspicious process detected, legitimate exe name appended with string: " . $runningProc . ".\n";
}
RF specific signatures

- KNOWN actor filenames, processes, covert stores:
  - MAKERSMARK/FANNER
  - SEEDSPHERE/BYZANTINE
  - ALOOFNESS
  - SNOWGLOBE
  - VOYEUR
  - SUPERDRAKE
  - GOSSIPGIRL
- Infrastructure
  - Known IP addresses
  - Known DNS queries
- Other tools
Specific signatures : example

# Check whether known driver / file names are present on the host.
# '\\$' escapes the literal '$' in the $NtUninstall...$ directory name.
my @driversPresent = xml_isDriverPresent( $xml, 'usbdev\\.sys', 'acpimem32\\.sys',
    'usblink32i\\.exe', '\\$NtUninstallQ722833\\$' );

foreach my $driver (@driversPresent)
{
    $alertText .= "Possible MM CARBON driver detected: " . $driver . ".\n";
}
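One way to implement the module pattern that the two example slides above show, as an added Python example rather than REPLICANTFARM's own Perl code: the generic "legitimate exe name plus 1-3 characters" heuristic, the MM CARBON driver-name signature and a check for the MSDTC64 service that the SNOWGLOBE slide describes, all run over one constructed recon document. The flat <process>/<driver>/<service> layout of that document is an assumption, not the real WARRIORPRIDE schema.

```python
# Added example (not CSEC/REPLICANTFARM code): a minimal module-based signature
# runner in the style of the Perl snippets on the slides. ASSUMPTION: recon
# output is modelled as a flat <response> with <process>, <driver> and
# <service> children; this is not the real WARRIORPRIDE XML schema.
import re
import xml.etree.ElementTree as ET

# Constructed sample: one masquerading process, one driver hit, one service hit.
SAMPLE_XML = """<response>
  <implantId>51.8.1.13</implantId>
  <process name="svchost.exe"/>
  <process name="svchost32.exe"/>
  <process name="lsass.exe"/>
  <driver name="ntoskrnl.exe"/>
  <driver name="acpimem32.sys"/>
  <service name="MSDTC"/>
  <service name="MSDTC64"/>
</response>"""

# Generic module: a legitimate Windows binary name with 1-3 characters appended
# (svchost32.exe), as in the slide's 'svchost.{1,3}\.exe'; anchors are added
# here so the genuine svchost.exe can never match.
LEGIT = ["svchost", "winlogon", "services", "lsass", "spoolsv", "rundll32"]
GENERIC = [re.compile(rf"^{s}.{{1,3}}\.exe$", re.I) for s in LEGIT]

# Specific modules, names taken from the slides: MM CARBON driver names and
# the MSDTC64 service that the SNOWGLOBE implant bootstraps from.
CARBON = [re.compile(p, re.I) for p in (r"^usbdev\.sys$", r"^acpimem32\.sys$")]
SNOWGLOBE_SVC = [re.compile(r"^MSDTC64$", re.I)]

MODULES = [  # (element tag, patterns, alert text prefix)
    ("process", GENERIC,
     "Suspicious process detected, legitimate exe name appended with string: "),
    ("driver", CARBON, "Possible MM CARBON driver detected: "),
    ("service", SNOWGLOBE_SVC, "Possible SNOWGLOBE service detected: "),
]

def xml_matches(xml_text, tag, patterns):
    """Names of <tag> elements whose name attribute matches any pattern."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iter(tag)
            if any(p.search(e.get("name", "")) for p in patterns)]

def run_modules(xml_text):
    """Run every module; returns the alert lines (the Perl code's $alertText)."""
    alerts = []
    for tag, patterns, prefix in MODULES:
        alerts += [prefix + name + "." for name in xml_matches(xml_text, tag, patterns)]
    return alerts
```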
Operations

- Routine operations for CCNE investigations on current targets
  - Execution of OPSEC related plugins
  - Collection of files
  - Examination of network activity
- Blanket approvals for addition of selectors to level 4 OPs against known actors: example WATERMARK operations against MAKERSMARK
- Standard operating procedures for level 2 to level 4 operations against foreign CCNE actor infrastructures
CCNE / OPSEC page on 5-Eyes K1SVN Wiki

- Contains reverse engineering reports for CNE / IO consumption
- Event logs and notes for several actors
CCNE operations — Covert Infrastructure

- Some fusion of the WP and CCNE infrastructures
  - Dedicated ORB for CCNE
  - Unattributed dialups to the ORB
- Philosophy: use low hanging fruits against the actors (public exploits and tools if available)
- Discussions regarding repurpose of foreign toolkits
- De-confliction
SNOWGLOBE

- Provide the historical account of the activity on DOURMAGNUM (Imam Hussein University)
- Implant identified while investigating another unattributed actor
- rar archiving of emails on target
- Beaconing using HTTP to php-based listening post
CCNE/Opsec WPID Alerts - Mozilla Firefox

(Firefox screenshot of the REPLICANTFARM alert page on the Opsec wiki; most of the text is illegible in the scan.)
Note that the search is done with the fields as Perl regular expressions.
[List of loaded signature modules (mod_*.pl), illegible]
ALERTS
Module: [name illegible, ...CHOCOPOP.pl]  Tag: SIG
Details: repeated alerts of the form "Possible SNOWGLOBE CHOCOPOP process detected: cmd.exe /C "c:\RECYCLER\S-1-5-21-...\rar.exe" a -r ... temp\<n>.rar c:\MDAEMON\Users\..." (one legible alert is reproduced on the next slide).
SNOWGLOBE on target

Possible SNOWGLOBE CHOCOPOP process detected:

cmd.exe /C ""c:\RECYCLER\S-1-5-21-101796669-4102346875-220983236-500\rar.exe" a -r -inul -hplockless -aprfeghhi -tn1d temp\168.rar c:\MDAEMON\Users\ihu.ac.ir\rfeghhi\md5*.msg">nul.

Safeguarding Canada's security through information superiority
TOP SECRET // COMINT
Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada
SNOWGLOBE implant

- Injects itself in svchost.exe
- No cloaking / no hooking
- Bootstraps in service called MSDTC64 (distributed transaction coordinator 64b)
- Service entry is permanent
- Executable kept on disk in system32
- Crypto: 16 byte string XOR
- HTTP beacons and tasking
- Actor observed upgrading on target
SNOWGLOBE activity and attribution

- Targeting is scarce but resembles CT / CP priorities
- French localisation seen in exploit PDFs (GCHQ)
- French commentary in the binary
- French binary name / developer path
- Observed in Iran, Norway, Greece, Belgium, Algeria, France, US targets
- Listening posts worldwide: several French legit sites
- Now seen in passive collection, several reports
De-confliction : on CCNE operations

- State-sponsored landscape is very busy
- CCNE targets are de-conflicted
  - Actors on CCNE targets are not
- Covert nature of foreign (and friendly) actors makes de-confliction challenging
- Often need to refer to precise technology for identification
- CNE / CCNE from SIGINT + HUMINT need to get together on this issue
De-confliction FAIL

- Actor discovered
- 5 eyes effort
- Several cohabitations
- At CSEC: 400 man-hours:
  - Over 20 CNE Operations
  - Passive Collection
  - 4 Reports
  - Reverse engineering
  - Planning of active operations

(Accompanying network diagram illegible in the scan.)
Conclusion

- CCNE effort essential to the national cyber mandate:
  - CNE situational awareness
  - New actor discovery
  - Tracking known actors
- Several new actors discovered using this process
- De-confliction needs to be improved
MM CCNE contacts